company is posting job applicants on their website, with contact information

A reader writes:

I recently applied for a job that was posted on the company’s website. I applied electronically using their online form. I noticed my full name and cover letter are now posted on their public website, along with similar information from many other applicants. For those applicants who included contact info such as address or phone number, that has been posted on the website as well.

Screen Shot 2014-01-16 at 6.30.59 PMThere’s a section of their website labeled “Applications” in which you can search by type of position, then click on anyone’s name and see their cover letter. I attached a screen shot. The website doesn’t say anywhere what this is for or provide any explanation for it. 

Can they do this?

Whoa. While they can do this in a legal sense, they very much should not do this. And it’s so unusual that I have to think it’s a mistake — that what you’re seeing is their internal applicant tracking system and they don’t realize that it’s accidentally been made available to the public.

I would contact them and say, “I’m not sure if you’re aware, but a long list of people who have applied for jobs with you is currently displaying on your website, along with applicants’ private contact information and cover letters. It’s showing up at (URL). I suspect this was a technical error, but as one of the applicants whose information is displayed there, is there a way to get it removed?”

{ 160 comments… read them below }

  1. Jubilance*

    Wow.

    Sounds like it’s a page that should be on the company intranet/behind a firewall where only HR can see it, but they had a coding issue. I’d definitely bring it to their attention immediately.

    1. Adam*

      Gotta be. The site’s too blocky and admin like to be something to show on a public browser. Must be a bug somewhere. They’ll probably be really embarrassed when they find out.

      1. A Jane*

        The website seems so old, I wouldn’t be surprised if there wasn’t a website administrator or someone who understood the back end.

          1. Gene*

            Between the part of the url and the info in the image, it was easy, probably took me under 2 minutes. And the IT person in that agency (I’m not one, just good at searching) should be slapped.

            1. The Wall Of Creativity*

              I can find the page just from words in the image. Unfortunately, you probably need to take the image down. Still, at least I now know we’re not talking about Operation Smile.

              1. A Bug!*

                Yeah, the image provides sufficient search terms to pinpoint the site as the only Google search result.

              2. ThursdaysGeek*

                I was trying to figure out how just those words would be enough. But you’re right. I found it too. Right now, the spam postings cover all of the first page and part of the second, and they started a couple of days ago, so this was found by the spammers before the AAM posting. I don’t think taking down the image will help, because it probably didn’t hurt.

                1. KLH*

                  I love how casual Operation Smile bashing is now a thing here. May their infamy extend across the galaxy and never attract a desperate applicant again.

          2. Steve*

            I intially thought “there’s no way I’ll get a hit on that minimal info.” Zoinks, there it was. Then I thought “there’s nothing here that’s all that confidential other than applicants names.” I thought maybe there were some transparency regulations that required them to post applicants names. Until I realized I had just clicked on some poor folks who hadn’t bothered to write any kind of cover letter – a few more clicks and there were people’s names, addresses, phones, work history, etc.

            I actually clicked on the “email us” link and reported that even though I’m not an applicant I felt that their website might have some privacy issues that they needed to address.

            1. A Bug!*

              I think what gets me most is that it’s the best applicants who are most compromised by this error, because those are the people who bothered to write useful cover letters.

      1. Anonymous*

        This bit:

        “There’s a section of their website (at …XXXXX)”

        was enough for me to find the site

  2. Ughh*

    Yeah I really hope it’s an error. I would remove my application and let them know and wait for it to be fixed. If it’s not an error I would not apply.

    1. fposte*

      There’s also been a rash of spam postings on the board today, so clearly the vulnerability has been exploited. I’m another saying it’s best just to take the image down ASAP.

      1. A Bug!*

        I’m wondering if it’s set up so that the form results just get submitted to an e-mail address, and that e-mail address has been picked up by spammers.

  3. belle*

    Yeah even with the little information still showing I was able to find the site. The page looks overrun by spam, but at least personal information is gone.

    1. MW*

      +1

      I admit I took it as a challenge to figure out what group this was. I was just about to post something similar. Viewing the application gives quite the text box. It is an improvement over the personal info. I hope the company notifies applicants of the breach.

  4. Ask a Manager* Post author

    I redacted the remaining potentially identifying thing that I’d previously left in the graphic (a very generic applicant name). Solved?

    (I was so excited to get to have a graphic for once!)

    1. MW*

      Alison – I’ll email you what I used to google what I think the company is. If it is correct, I do suggest you take the graphic down.

      1. MW*

        I used FB to message you. I didn’t want to leave the phrases in the comments if I’m correct.

        And this is quite the lesson in online privacy and how easy it is to locate something. I’m shocked.

        1. Penny*

          This Christmas, I was sending cards for the first time and realized I didn’t have addresses for some friends and family members so I figured, let me try Googling their names and city (or at least the nearest city I know). Yeah, got all their names, people they may know (usually their spouses or children), age, address, previous cities lived in, a map and image of their house. I was able to confirm it was them by recognizing the house. I was shocked how much I could find with a simple search! A little scary!

    2. The Wall of Creativity*

      I needed the applicant name to find the page. Without the applicant name, I looked through 4 pages of search results and found nothing.

        1. A Bug!*

          I didn’t even need to use a date. The three sets of words in the top left, with quotation marks as appropriate, were enough to bring it up for me. But again, I don’t know how to ensure that my previous searches aren’t tainting my current results; I used a new tab but I didn’t close out Chrome entirely.

    3. A Bug!*

      I hate to be a downer when you’re so excited, but I took the applicant’s name out of my search terms and that page is still the only result that comes up. I don’t know if my prior searches are tainting the current results, but I would expect more results to have come up even if that were the case.

    4. ThursdaysGeek*

      Taking down the graphic was probably wise, but the spam started days before you posted this, so don’t feel too bad.

      1. J*

        I too was able to find the web page using only the words in the graphic. A Google search returned what I was looking for on the first page of results.

      2. A Nonny Moose*

        Yep, I also easily found the site with just the information left in the graphic. Maybe redact the dates, too? But, the safest thing would be to take it down.

      1. S.K.*

        I was still able to find it (I hadn’t looked before, so my search results weren’t tainted). I had to try a few times but if someone is actually trying, the image above is still enough, even as out-of-date as it is.

        On the other hand, I doubt it matters much at this stage. The barn door’s been open for awhile.

        1. TK*

          I did searches using just information that’s still there, and found it on my second try (after adding more words and putting things in quotes).

          1. TK*

            Actually, my third try. The first time I didn’t use the dates. I’m pretty sure the dates are what’ll get you there.

      2. Laura*

        I was able to find it Googling just the various heading/instruction phrases, in quotes, as was said up-thread. :|

        I’d bet the killer is the phrase immediately above the drop-down about filtering – how likely is that to be on public web pages?

    5. You Can't Hide Online*

      Still was able to find it with minimal Google-fu…

      A text search using all the column labels and other text on the page brought me there in about 30 seconds. Third hit on the list of results.

      1. Indeed*

        It did. Taking the dates out of the graphic would probably help, but they definitely f’ed up their share point site.

  5. A Jane*

    This reminds me of a time a non-profit used a Google spreadsheet to have applicants sign up for an interview time. They gave everyone unlimited access, so not only could I see who else was applying, but I could also edit their contact information! Definitely did not go forward with the interview process.

  6. A Bug!*

    Internet Detectiving aside, this is a terrible breach of privacy and I’d be very concerned with respect to potentially working for them.

    That set-up is extremely sloppy work, and if the person who created it is involved with anything requiring confidentiality I’d run screaming in the other direction.

    Unless I were an IT/web dev person, in which case I’d send them an e-mail regarding the job opening that must surely be impending.

    1. S.K.*

      I would be even more concerned that the page is *still* up, hours later. (or even days later, depending when the OP wrote in). Making a mistake is one thing, but how does this not get fixed IMMEDIATELY?

      1. fposte*

        My guess: it’s a bureaucratic organization, and the request is percolating through the system; I bet there’s also some confusion over how to make the site non-public but still accessible internally, too (especially if it’s supposed to be directly available to applicants), and the people who’ve heard about the exposure aren’t willing to take the risk.

  7. Sydney Bristow*

    Oh my goodness! Personal information aside, now your boss could know you’re job hunting and where.

    If it isn’t a mistake, which it has to be (right?), its so crazy that I’d remove myself from consideration and do whatever I could to get them to take my info down.

  8. Jake*

    This doesn’t shock me that much. Especially if it is smaller company. I currently work for a company that posts all kinds of things on the website that would have been behind several layers of security when I worked for a fortune 500 company. A lot of this stuff is pretty confidential in the sense that the client always writes into their contract that these documents are for official use only. However, nobody at our company or client gets too uptight about it.

    This is terrible, but I bet it happens far more than anybody realizes.

    1. Poe*

      I once applied for a job in a department at a university that dealt with a LOT of confidential data, and while Googling around for info on the department, I found a wiki they had set up that was publicly available. It contained screenshots from their database with names barely blurred out. I confess I used the wiki to obsessively study for my interview, though I also sent an anonymous note (via a “contact us” form) that this was available online and likely was not meant to be. Yes, I got the job.

  9. Joey*

    Nice. I wonder if any of those candidates would actually accept if offered after seeing this. Somehow I think some would.

  10. Gene*

    OMG! I thought it couldn’t get worse. I poked at the info for a bit and not only is all the contact info there, but the email addresses are clickable! That pretty much guarantees that the spammers have the applicants’ email addresses now. None of my webpages use the “mailto:” tag, it’s spammer bait.

  11. Jamie*

    I agree with everyone saying this has to be an error – they must have meant this to be available internally only and made it public facing.

    But if it was a mistake I don’t get this part

    There’s a section of their website labeled “Applications” in which you can search by type of position, then click on anyone’s name and see their cover letter

    Did this look like the rest of the site? Was it formatted in the same design, etc? Because if I were to put confidential info on the website (and I wouldn’t, that’s what a secured intranet is for) I wouldn’t bother making it pretty – just bare bones functional.

    If it was basic html or whatever I wouldn’t have any doubts regarding the error.

    I hope no one who applied has bosses or nosy co-workers who google them for spite – this really sucks and the unprofessionalism just offends me.

    1. V*

      This looks like the interface for the applicant tracking system InterviewExchange, actually. So perhaps it’s somehow been made public?

      1. Jamie*

        That would make sense – so they probably didn’t know it was facing forward. Sloppy not malicious – damaging either way.

        1. fposte*

          So when you get there from Google, are you getting the spammy filename in the URL? Do you know what kind of vulnerability they’d have to have in order for that to have been created?

  12. Ruffingit*

    Super easy to find this site and wow, this is awful! I think someone should not only email, but also call and let them know about this. Call HR or someone.

  13. Canadamber*

    I’ve been Googling too, and I just found it. I used this search term:

    REDACTED (BY ALISON, FOR APPLICANTS’ PRIVACY — SINCE THE COMPANY HASN’T FIXED IT)

    1. amaranth16*

      My God, that locates it for me, too. I can’t believe Alison called an hour and a half ago and they still haven’t figured out how to take it down.

    2. Windchime*

      Yeah, this worked for me too. I wonder if this comment should also be edited or removed. We don’t want to perpetuate the problem.

  14. Ask a Manager* Post author

    I just called and talked to them. They didn’t know it was happening, it’s not supposed to be happening, they’re alarmed, and they’re going to figure out how to fix it.

    1. Jamie*

      I hope they know to contact Google – Google has a process for clearing the info faster than it would organically fall off with just removing the page for when confidential information was inadvertently published.

      I think it’s so awesome that you called. :)

      1. Ask a Manager* Post author

        The second minute of the conversation went like this:

        “Who are you again?”

        “I write an advice column and someone wrote to me about this.”

        (confused silence)

        I think people are not used to what was essentially “hi, I’m an advice columnist, and I have some advice for you!”

        1. Loose Seal*

          ”hi, I’m an advice columnist, and I have some advice for you!”

          This completely tickled my funny bone. Also, I think it’s very nice that you called to let them know.

        2. Catzie*

          That is hysterical. Imagine their dinner conversations tonight:

          “So this advice columnist called me today…”

        3. College Career Counselor*

          That put me in mind of this exchange from Police Squad:

          “Who are you, and how did you get in here?”

          “I’m a locksmith, and….I’m a locksmith.”

        4. Windchime*

          I’m a little hurt and confused that you didn’t call me last week when I needed advice, Alison. Hah! :)

        5. Mephyle*

          There will need to be a whole new category for this one at the year-end “most _______ post” round-up!

          And it’s about 6 hours later, and it’s still up, with all the applicant’s letters and clickable e-mails.

    2. Anonicorn*

      Good on you. I hope they can fix it soon, as it’s quite late in the afternoon and I can still locate the site and see the applicant information.

  15. You Can't Hide Online*

    Not to invade privacy but – ok, well I guess that’s what you’d be doing, no way around it – this is potentially a great data set for you, Alison.

    If someone took 30 minutes and copied down all the cover letters, you’d probably notice some amazing trends. How many simply don’t write one, the rarity of a truly well-written one, etc.

    Couldn’t help but have that thought pop into my head when I saw this!

    1. Ask a Manager* Post author

      It’s true, but fortunately I get access to similar data sets just by doing hiring for clients (and previously for myself) so I’m going to pretend that I cannot see this one :)

      1. You Can't Hide Online*

        Of course you do. D’oh.

        That said, I will note that I made a few cursory clicks to verify I found the site being discussed here and, yeah, wow. Tons of cover letter-less applications and some, uh, very interesting email addresses.

        My point to everyone here that’s not Alison – not that we didn’t already know this, but she’s 100% spot-on when it comes to the insanity that appears in application inboxes.

        P.S. Way to be responsible and ethical and all that! :)

        1. GH*

          Yeah, I clicked on a few out of curiousity too and was fascinated by the instantly clear difference between a good cover letter (“I have 10 years experience at doing “) and a wasted one (“I would like to give you a summary of my strengths, which I believe are a good fit for your needs. “) Obviously this breach is a bad thing but the examples are very educational.

          1. GH*

            Ugh, I used angle brackets in my comment to set off some phrases and they were interpreted as code so my post is missing key phrases. Sorry everyone! The conversation has moved on appropriately so I won’t bother reconstructing the missing bits. You can go about your business.

        2. Anon*

          I don’t understand people who write completely eloquent cover letters and then list their email address as (changing this spelling only slightly to protect the guy’s real email address) hog 4 christ at yahoo.com.

          REALLY? You can’t take two seconds to come up with an email address that involves your name instead? (And, secondarily, you’re applying for a digital communications job and you’re using a YAHOO email addy? Not the biggest problem, though, I know.)

          1. FRRibs*

            I think some folks look at their emails as an extension of their online identity and not as a t-shirt that can be changed to be appropriate for the venue (an outdated view of course).

            I had a personal email address I carried from the beginning of hotmail (1997 or thereabouts); at the time I didn’t think of having multiple emails for different uses…which led to one interview where the fellow opposite me was more interested in the story of how I decided on closet_goth as an email address than in interviewing. Sadly I lost the password and wasn’t able to recover it from MS, so 15+ years of emails are just floating out there.

          2. Anonymousss*

            The applicant with that email address ended up getting hired, if you take a look at their Staff page. While he did put effort into writing a cover letter (most applicants did not), it was sprinkled with grammatical errors and some poor word choice. For someone who indicated in the cover letter that he considered writing to be a strength of his, I would have been left scratching my head if I were the hiring manager. Still, he could have been their best applicant to choose from. (I did not see any other cover letters for that position.)

    2. Jamie*

      Ethically you can’t do that – but the stats geek in me would love empirical data on this (overall – not this position.)

      In my industry for entry level positions a cover letter of any kind is about 20%. 99%+ percent of those are form letters because they are applying through one of the employment agencies with whom we work and they are all the same. You might as well not even use one.

      For every couple of hundred applicants we’ll get a handful of custom written cover letters. Less than 10. Of those about half are a cut and paste of the ‘objective’ section of their resume (which is another issue). So literally for every 200-300 applications/resumes sent in we’ll get 2-3 custom cover letters that are well written. Every one of those people gets a call back because they are such the purple squirrel.

      Stats are much different for office jobs – but it goes to show even for factory work it really helps. It’s not necessary technically, because if you only hired those with good cover letters you’d have 6 people, but it helps so much I cannot even tell you.

      1. You Can't Hide Online*

        Yeah, I’m not involved in hiring at all but stats like that always…

        a) blow my mind, and
        b) make me feel so much better when I’m taking the time to write said letters while applying for a job!

        1. Felicia*

          Me too! I write custom cover letters for every position, so this makes me feel better about my chances.

  16. Mochafrap512*

    Allison, I sent you a FB message. I know you’re excited about the graphic and I have many questions. I personally will send you a question with a graphic, but please take down the one above.

    1. Ask a Manager* Post author

      I’m not currently somewhere where I can take it down right now but will when I’m able to. But more importantly, the company needs to take it down.

        1. GH*

          Have they? It’s still there for me — both the version with the spammy url, and the truncated version.

        2. fposte*

          Just to be clear–you’re saying they took your particular materials off, right? Because the site is still loading for me with candidate info.

          (Weird that they’re taking individual info off but not making the site private.)

          1. Mochafrap512*

            I see it now. This is scary because people’s personal addresses are available. It would be easy to “wipe out the competition.” I think the company needs a new IT person. Anyone else agree? Lol

  17. Question-Asker*

    AAM, thank you for calling them! Interestingly, though, as soon as I came across this site (well over a week ago) I became quite concerned about my internet image since I’m in the midst of a job search. I frantically emailed 3 people at the company – the Communications / Web Specialist, the Workforce Development Manager, and the “Email Us” link at the bottom of the webpage – asking them to please remove my personal information from their public website. Within a day or so, my name and cover letter had been removed, but the site remained functional.

    So, even if this was a programming mistake or otherwise unintentional, they really shouldn’t be acting “alarmed” and claiming that they didn’t know this was happening.

    1. Ask a Manager* Post author

      Wow, yeah. Although I spoke with their receptionist and it’s possible that she just wasn’t in the loop but someone else was on it.

      … Except that not really because if they knew of the issue enough to take yours down before today, they should have taken the rest down too.

      1. fposte*

        I’m wondering if there hasn’t been an additional complication. When I get there off of a Google search, the URL displays an additional and *very* spammy subdirectory filename that’s highly unlikely to be original. (If I take the spammy subdirectory filename off, I get the same document, so it’s still public, unfortunately.)

        I don’t know what you’d have to be able to do to spamjack a filename, but it looks like it’s been done.

    2. Jessica (tc)*

      Ouch, yeah. This makes it even worse in my mind…and it’s still up. :(

      The fact that the search bar is bringing up applicant information from the main screen is doubly concerning. I hope they take your call seriously, Alison!

  18. Jubilance*

    Wow and it’s still up, I just found it. I truly hope they are taking this seriously and not just giving it lip service. Maybe if someone tipped Gawker to this, they’d take it down faster.

    1. Kerr*

      Still up for me, too. Wow. In this case, I would *not* contact Gawker. The applicants’ info is still up, and IMHO their privacy should be considered paramount, not shaming the company while all of that info is still floating around. Yeah, the barn door has been open for a while, but it hasn’t been publicized until now. If I were one of those applicants, I would be angry with the company for letting it happen, but doubly angry with someone who thought it was their “duty” to blast that data to even more potentially skeevy corners of the Internet.

      1. Kerr*

        In addition, I imagine that a number of people might start poking around to see what other vulnerabilities they could find, while an evidently slow-moving, non-tech savvy organization is left scrambling. Obviously, they need someone to do a lot more checking and barn-door-closing, but probably not this way.

  19. fposte*

    Oh, holy cow. I put the base domain and job apps directory into Google and there’s massive spam being generated off of that URL, and it looks like that’s been the case for several months. They’ve left a big hole open somewhere, and I’d say the exposure of the candidates’ info may not be their biggest problem.

  20. Anon*

    Looks like the whole site is poorly done. Using the search box on the sites home page resulted in people’s applications when I used words appearing in the applications… even applicant names.

    1. fposte*

      Except for the fact that people on there really are trying to get a job and need the users to see their materials, so it would be really nasty to them. And people who set up a site like this aren’t going to be feverishly working through the night to fix things–I’ll be a little surprised if it changes any time soon, to be honest.

  21. PGH*

    It’s still up, as of 10:40 pm. And an earlier Google cached page for this particular post on AAM is also still up, which is how I was able to find the URL to search for and access the website.

    I’m not sure if one of the applicants in the database they ended up hiring (found via About >> Staff) is in charge of this, but the last entry in the database does long predate this person’s application.

  22. Poe*

    Is anyone else really freaked out that this is a healthcare organization with information security issues?

    1. Mochafrap512*

      I think they should ask Alison for advice on how to get a new IT person, but in all seriousness this is dangerous. Personal addresses appear to be listed for some of them. It would be easy for someone (insane, obviously) to “wipe out the competition.”

      1. fposte*

        Sure, but people’s names and addresses are also available in whitepages.com, so I really don’t agree that this is dangerous. Tthere’s a reason why what they’re doing isn’t illegal, after all–there’s been no judgment that it needs to be. The likeliest risk if if people haven’t told their current job they’re searching and they get found out–or that people with a really good cover letter will get copied.

        1. Anon*

          If their cover letter is on display, what makes you think that their other information isn’t easily hackable? If this is being shown, I can bet you there are other vulnerabilities.

          1. fposte*

            Because you don’t need to hack to get the information that’s on display. You just need to look. What makes you think an organization this clueless would have managed to hide the rest of the information if it were in the same system?

      2. You Can't Hide Online*

        Per another comment upthread, they actually *have* hired someone in IT – someone whose information is still available on the application site. Oof.

  23. Random Reader*

    Still up! AAM, the comment further up with the dates brings it straight up for me. Curious as I was to see it, that does rather thwart all the attempts to maintain anonymity.

  24. Longtime Lurker*

    AAM, please do remove the post above (by Canadamber) containing search terms. It’s just adding insult to injury for those job applicants.

    1. fposte*

      If that’s going to happen, PGH’s post providing alternative finding guidance should probably also go.

      1. Canadamber*

        Yeah I was gonna chime in about my post, but I’m glad to see that it’s been dealt with already. Thanks, Alison! :)

  25. EntirelyOutThere*

    Additionally people can search by job title for what positions applicants are applying for specifically. (Ironically no applications for IT!)

      1. Trixie*

        Probably search engine caching. If the admins of the site want to do a thorough job of removing the info, they’ll need to contact the search engines and get them to remove the info from their caches. They may have already done so, but it takes time to complete.

  26. EntirelyOutThere*

    Not sure where you’re getting it is fixed? I go to the direct link and it still displays the old information without searching.

  27. fposte*

    And the site’s been updated–but only to remove the spam influx of January. All the job info has been helpfully left up, and the spam subdirectories are still active.

  28. fposte*

    Belated update–I happened on this thread again and checked, the site has finally blocked external access.

Comments are closed.